If your EC2 instance is in a private subnet, it doesn’t have a public IP and can't be directly accessed from the internet. However, if you want external systems to whitelist a fixed public IP to allow outbound communication from your EC2 (e.g., for APIs, SFTP, databases), you have two sure-shot options:
Option 1: Use a NAT Gateway with an Elastic IP (Recommended for Scalability)
Create an Elastic IP
Go to EC2 → Elastic IPs → Allocate new address.
Create a NAT Gateway in a public subnet
Attach the Elastic IP to the NAT Gateway.
Ensure the subnet has a route to the internet via the Internet Gateway.
Route private subnet traffic to the NAT Gateway
In your private subnet’s route table, add:
Destination: 0.0.0.0/0
Target: <your NAT Gateway>
Test outbound traffic
Any EC2 instance in the private subnet will now go out via the NAT Gateway, and appear from the Elastic IP. Share this Elastic IP with external parties to whitelist.
Option 2: Use a Proxy or Bastion Host with EIP (For Inbound Access Needs)
If the external system needs to initiate the connection (e.g., SSH, HTTP calls to your EC2), do the following:
Launch a bastion host or reverse proxy in a public subnet, attach an Elastic IP.
Set up routing, security groups, and possibly a proxy tool (like NGINX, HAProxy, or SSM port forwarding) to forward or relay traffic to the private EC2.
Give the Elastic IP of the bastion to external systems to whitelist.
Generic Security Notes
Always restrict NAT/Bastion security groups to the required IPs and ports. Use AWS Systems Manager (SSM) for secure access to private EC2s when possible; there is no need for bastions or public IPs.
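An added example (not part of the answer above) that checks the Option 1 wiring programmatically: it walks the same checklist (private subnet default route → NAT gateway, NAT gateway's subnet default route → internet gateway, Elastic IP attached) over dicts shaped like the output of boto3's `describe_route_tables` and `describe_nat_gateways`. The route table and NAT gateway data below are constructed for illustration; in practice you would pass in the real API responses.

```python
# Added example: validate the NAT Gateway + Elastic IP egress setup from Option 1.
# Sample data is constructed (IDs and the 203.0.113.10 address are placeholders).

PRIVATE_RT = {  # route table of the private subnet (describe_route_tables shape)
    "RouteTableId": "rtb-private-example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
    ],
}
PUBLIC_RT = {  # route table of the public subnet that hosts the NAT gateway
    "RouteTableId": "rtb-public-example",
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
    ],
}
NAT_GW = {  # one entry of describe_nat_gateways()["NatGateways"]
    "NatGatewayId": "nat-example",
    "SubnetId": "subnet-public-example",
    "State": "available",
    "NatGatewayAddresses": [
        {"AllocationId": "eipalloc-example", "PublicIp": "203.0.113.10"}
    ],
}


def default_route(route_table):
    """Return the 0.0.0.0/0 route of a route table, or None if there is none."""
    for route in route_table["Routes"]:
        if route.get("DestinationCidrBlock") == "0.0.0.0/0":
            return route
    return None


def check_nat_egress(private_rt, public_rt, nat_gw):
    """Return a list of problems; an empty list means outbound traffic from the
    private subnet will leave AWS from the NAT gateway's Elastic IP."""
    problems = []
    priv = default_route(private_rt)
    if priv is None or priv.get("NatGatewayId") != nat_gw["NatGatewayId"]:
        problems.append("private subnet default route does not target the NAT gateway")
    pub = default_route(public_rt)
    if pub is None or not pub.get("GatewayId", "").startswith("igw-"):
        problems.append("NAT gateway subnet has no default route to an internet gateway")
    if nat_gw.get("State") != "available":
        problems.append("NAT gateway is not in the 'available' state")
    if not nat_gw.get("NatGatewayAddresses"):
        problems.append("NAT gateway has no Elastic IP attached")
    return problems


def egress_ip(nat_gw):
    """The fixed public IP that external parties should whitelist."""
    return nat_gw["NatGatewayAddresses"][0]["PublicIp"]
```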
Hello.
Will the connection to the external service be accessed via a public network?
In that case, you will probably need to connect using a public IP address via a NAT Gateway, as @Manvitha Potluri mentioned.
If the connection to the external service is via a private network using a Site to Site VPN or similar, then a private IP address can be used, but if not, a public IP address will be required.
The configuration image is as shown in the following document.
https://docs.aws.amazon.com/vpc/latest/userguide/nat-gateway-scenarios.html
@Manvitha Potluri @Riku_Kobayashi Ah, so you mean the EIP assigned to the NAT Gateway can be used for whitelisting? The request traffic always flows from our server to the external vendor that has the whitelist.
If the external service is some kind of SaaS product, communication will likely occur over a public network. In other words, for example, if you want to whitelist a fixed IP address to access an external service from EC2 or another instance in your VPC, you will need to use a NAT Gateway or similar.